Gaming

How Zelda fans changed the ending to Ocarina of Time on a vanilla N64

Arbitrary code execution, driven by four rapid-fire N64 gamepads, does wonders.

Shortly after our guide to Summer Games Done Quick 2022 went live, the event hosted an astounding demonstration of a classic video game—one that has since crowded that Ars article’s replies. If we want to split hairs, this run through the 1998 N64 classic Legend of Zelda: Ocarina of Time is not a “speedrun,” but it’s another example of the “TASBot” concept transforming games in ways we would never have dreamed of 24 years ago.

The team of fans and programmers responsible for this week’s “Triforce-percent” demonstration have since revealed how they achieved the feat with nothing more than a stock N64 and an original Ocarina retail cartridge—though the secret involves controller inputs so fast and precise that they cannot be performed by anything less than a computer.

Nothing stale about this run

An early 2020 video that explains how stale reference manipulation works. You may want to watch this before watching the SGDQ 2022 video, embedded further below.

The 53-minute demonstration (embedded at the end of this article) opens with an exploit previously unearthed in late 2019, which the community dubbed “Stale Reference Manipulation.” This exploit takes advantage of a vulnerability in the game’s original 1.0 version, which allowed players to manipulate numerical values assigned to specific objects in the game’s memory. The breeziest explanation for this complicated technique can be found in a YouTube video from early 2020 (embedded above), as it spells out the various numerical values assigned to each object in the game, such as their X-, Y-, and Z-axes and their rotation.

Savvy players can make values overlap or overwhelm the game’s original code so they can be manipulated as players see fit. The technique we see in this week’s run requires Link to pick up a rock while going through a “loading zone,” a hallway used to disguise loading pauses on N64 hardware, and to do so in a way that the game was not designed to handle.

Initially, this exploit was a speedrunning tool, as it could trick the game into loading the final credits sequence and technically count as a “completion” within only a few minutes. But the Triforce-percent run goes much further.

RAMming new content into a classic game

Hey, wait, that doesn't belong here... but as the TASBot demonstration team points out, an Arwing from <em>Star Fox 64</em> was left in the original <em>Ocarina</em> cartridge, as a reminder that this object was used to test certain animation routines in the early development period.

 

By picking up and dropping specific items, then making the game’s hero Link move and perform maneuvers in a specific sequence, the TASBot team opens up a Pandora’s box of what’s known as arbitrary code execution—the type of vulnerability used by hackers the world over to make a closed computer system run whatever code they want. What’s more, the TASBot chain of moves and commands begins to tell the N64 to accept button input from all four N64 controllers as if it’s code.

This item-manipulation menu was left in the game as a beta element, easily unearthed for use in the SGDQ 2022 run.

 

At this point, a computer takes over all four N64 controller ports and sends a rapid-fire series of button taps, as if it were a zillion-finger superhero equivalent to The Flash. The glitched-out Ocarina cartridge has instructed the N64 to accept each button tap in a way that corresponds to specific code strings. Once enough of this payload has been sent, the team can return normal control to the “player one” port, so that a real person can play through an entirely new sequence of content—all being dumped into the N64’s random-access memory (RAM) by the other three controllers’ incredibly fast input.

These on-the-fly patches can do many incredible things that, combined, resemble a fully blown patch of a cartridge’s read-only memory (ROM), though the TASBot team restricts itself to changes that specifically apply to the console’s RAM: tiny changes to existing code, total file replacements, or commands to tell the game to ignore content that it would normally load from the ROM. As a result, this exploit can glitch or crash if players go outside the expected path that this exploit is optimized for.

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button